Malware Used in Ivanti Zero-Day Attacks Shows Hackers Preparing for Patch Rollout

Ivanti Connect Secure, formerly known as Pulse Connect Secure, is affected by two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which have been exploited by threat actors likely connected to China. These vulnerabilities could allow an attacker to execute arbitrary commands on appliances. Ivanti has issued mitigations, but patches are expected to be available in the week of January 22. CISA has added the zero-days to its exploited vulnerabilities catalog, urging government agencies to take action by January 31. According to Rapid7, over 7,000 internet-exposed instances could be vulnerable, with most located in the United States, Japan, and Europe. Mandiant identified the threat actor as UNC5221, and the goal appears to be espionage. The attackers have used five malware families, including webshells, droppers, backdoors, and information stealers, to maintain access to high-value compromised systems even after patches are released. The vulnerabilities have been exploited since at least December 2023.

Read more: https://www.securityweek.com/malware-used-in-ivanti-zero-day-attacks-shows-hackers-preparing-for-patch-rollout/